feat: add email settings with database overrides for admin and vendor

Platform Email Settings (Admin): - Add GET/PUT/DELETE /admin/settings/email/* endpoints - Settings stored in admin_settings table override .env values - Support all providers: SMTP, SendGrid, Mailgun, Amazon SES - Edit mode UI with provider-specific configuration forms - Reset to .env defaults functionality - Test email to verify configuration Vendor Email Settings: - Add VendorEmailSettings model with one-to-one vendor relationship - Migration: v0a1b2c3d4e5_add_vendor_email_settings.py - Service: vendor_email_settings_service.py with tier validation - API endpoints: /vendor/email-settings/* (CRUD, status, verify) - Email tab in vendor settings page with full configuration - Warning banner until email is configured (like billing warnings) - Premium providers (SendGrid, Mailgun, SES) tier-gated to Business+ Email Service Updates: - get_platform_email_config(db) checks DB first, then .env - Configurable provider classes accept config dict - EmailService uses database-aware providers - Vendor emails use vendor's own SMTP (Wizamart doesn't pay) - "Powered by Wizamart" footer for Essential/Professional tiers - White-label (no footer) for Business/Enterprise tiers Other: - Add scripts/install.py for first-time platform setup - Add make install target - Update init-prod to include email template seeding 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-05 22:23:47 +01:00
parent ad28a8a9a3
commit 36603178c3
51 changed files with 4959 additions and 1141 deletions
--- a/app/api/v1/admin/settings.py
+++ b/app/api/v1/admin/settings.py
@@ -6,14 +6,17 @@ Provides endpoints for:
 - Viewing all platform settings
 - Creating/updating settings
 - Managing configuration by category
+- Email configuration status and testing
 """

 import logging

 from fastapi import APIRouter, Depends, Query
+from pydantic import BaseModel, EmailStr
 from sqlalchemy.orm import Session

 from app.api.deps import get_current_admin_api
+from app.core.config import settings as app_settings
 from app.core.database import get_db
 from app.exceptions import ConfirmationRequiredException, ResourceNotFoundException
 from app.services.admin_audit_service import admin_audit_service
@@ -286,3 +289,416 @@ def delete_setting(
    db.commit()

    return {"message": message}
+
+
+# ============================================================================
+# EMAIL CONFIGURATION ENDPOINTS
+# ============================================================================
+
+# Email setting keys stored in admin_settings table
+EMAIL_SETTING_KEYS = {
+    "email_provider": "smtp",
+    "email_from_address": "",
+    "email_from_name": "",
+    "email_reply_to": "",
+    "smtp_host": "",
+    "smtp_port": "587",
+    "smtp_user": "",
+    "smtp_password": "",
+    "smtp_use_tls": "true",
+    "smtp_use_ssl": "false",
+    "sendgrid_api_key": "",
+    "mailgun_api_key": "",
+    "mailgun_domain": "",
+    "aws_access_key_id": "",
+    "aws_secret_access_key": "",
+    "aws_region": "eu-west-1",
+    "email_enabled": "true",
+    "email_debug": "false",
+}
+
+
+def get_email_setting(db: Session, key: str) -> str | None:
+    """Get email setting from database, returns None if not set."""
+    setting = admin_settings_service.get_setting_by_key(db, key)
+    return setting.value if setting else None
+
+
+def get_effective_email_config(db: Session) -> dict:
+    """
+    Get effective email configuration.
+
+    Priority: Database settings > Environment variables
+    """
+    config = {}
+
+    # Provider
+    db_provider = get_email_setting(db, "email_provider")
+    config["provider"] = db_provider if db_provider else app_settings.email_provider
+
+    # From settings
+    db_from_email = get_email_setting(db, "email_from_address")
+    config["from_email"] = db_from_email if db_from_email else app_settings.email_from_address
+
+    db_from_name = get_email_setting(db, "email_from_name")
+    config["from_name"] = db_from_name if db_from_name else app_settings.email_from_name
+
+    db_reply_to = get_email_setting(db, "email_reply_to")
+    config["reply_to"] = db_reply_to if db_reply_to else app_settings.email_reply_to
+
+    # SMTP settings
+    db_smtp_host = get_email_setting(db, "smtp_host")
+    config["smtp_host"] = db_smtp_host if db_smtp_host else app_settings.smtp_host
+
+    db_smtp_port = get_email_setting(db, "smtp_port")
+    config["smtp_port"] = int(db_smtp_port) if db_smtp_port else app_settings.smtp_port
+
+    db_smtp_user = get_email_setting(db, "smtp_user")
+    config["smtp_user"] = db_smtp_user if db_smtp_user else app_settings.smtp_user
+
+    db_smtp_password = get_email_setting(db, "smtp_password")
+    config["smtp_password"] = db_smtp_password if db_smtp_password else app_settings.smtp_password
+
+    db_smtp_use_tls = get_email_setting(db, "smtp_use_tls")
+    config["smtp_use_tls"] = db_smtp_use_tls.lower() in ("true", "1", "yes") if db_smtp_use_tls else app_settings.smtp_use_tls
+
+    db_smtp_use_ssl = get_email_setting(db, "smtp_use_ssl")
+    config["smtp_use_ssl"] = db_smtp_use_ssl.lower() in ("true", "1", "yes") if db_smtp_use_ssl else app_settings.smtp_use_ssl
+
+    # SendGrid
+    db_sendgrid_key = get_email_setting(db, "sendgrid_api_key")
+    config["sendgrid_api_key"] = db_sendgrid_key if db_sendgrid_key else app_settings.sendgrid_api_key
+
+    # Mailgun
+    db_mailgun_key = get_email_setting(db, "mailgun_api_key")
+    config["mailgun_api_key"] = db_mailgun_key if db_mailgun_key else app_settings.mailgun_api_key
+
+    db_mailgun_domain = get_email_setting(db, "mailgun_domain")
+    config["mailgun_domain"] = db_mailgun_domain if db_mailgun_domain else app_settings.mailgun_domain
+
+    # AWS SES
+    db_aws_key = get_email_setting(db, "aws_access_key_id")
+    config["aws_access_key_id"] = db_aws_key if db_aws_key else app_settings.aws_access_key_id
+
+    db_aws_secret = get_email_setting(db, "aws_secret_access_key")
+    config["aws_secret_access_key"] = db_aws_secret if db_aws_secret else app_settings.aws_secret_access_key
+
+    db_aws_region = get_email_setting(db, "aws_region")
+    config["aws_region"] = db_aws_region if db_aws_region else app_settings.aws_region
+
+    # Behavior
+    db_enabled = get_email_setting(db, "email_enabled")
+    config["enabled"] = db_enabled.lower() in ("true", "1", "yes") if db_enabled else app_settings.email_enabled
+
+    db_debug = get_email_setting(db, "email_debug")
+    config["debug"] = db_debug.lower() in ("true", "1", "yes") if db_debug else app_settings.email_debug
+
+    # Track source for each field (DB override or .env)
+    config["_sources"] = {}
+    for key in ["provider", "from_email", "from_name", "smtp_host", "smtp_port"]:
+        db_key = "email_provider" if key == "provider" else ("email_from_address" if key == "from_email" else ("email_from_name" if key == "from_name" else key))
+        config["_sources"][key] = "database" if get_email_setting(db, db_key) else "env"
+
+    return config
+
+
+class EmailStatusResponse(BaseModel):
+    """Platform email configuration status."""
+
+    provider: str
+    from_email: str
+    from_name: str
+    reply_to: str | None = None
+    smtp_host: str | None = None
+    smtp_port: int | None = None
+    smtp_user: str | None = None
+    mailgun_domain: str | None = None
+    aws_region: str | None = None
+    debug: bool
+    enabled: bool
+    is_configured: bool
+    has_db_overrides: bool = False
+
+
+class EmailSettingsUpdate(BaseModel):
+    """Update email settings."""
+
+    provider: str | None = None
+    from_email: EmailStr | None = None
+    from_name: str | None = None
+    reply_to: EmailStr | None = None
+    # SMTP
+    smtp_host: str | None = None
+    smtp_port: int | None = None
+    smtp_user: str | None = None
+    smtp_password: str | None = None
+    smtp_use_tls: bool | None = None
+    smtp_use_ssl: bool | None = None
+    # SendGrid
+    sendgrid_api_key: str | None = None
+    # Mailgun
+    mailgun_api_key: str | None = None
+    mailgun_domain: str | None = None
+    # AWS SES
+    aws_access_key_id: str | None = None
+    aws_secret_access_key: str | None = None
+    aws_region: str | None = None
+    # Behavior
+    enabled: bool | None = None
+    debug: bool | None = None
+
+
+class TestEmailRequest(BaseModel):
+    """Request body for test email."""
+
+    to_email: EmailStr
+
+
+class TestEmailResponse(BaseModel):
+    """Response for test email."""
+
+    success: bool
+    message: str
+
+
+@router.get("/email/status", response_model=EmailStatusResponse)
+def get_email_status(
+    db: Session = Depends(get_db),
+    current_admin: User = Depends(get_current_admin_api),
+) -> EmailStatusResponse:
+    """
+    Get platform email configuration status.
+
+    Returns the effective email configuration (DB overrides > .env).
+    Sensitive values (passwords, API keys) are NOT exposed.
+    """
+    config = get_effective_email_config(db)
+    provider = config["provider"].lower()
+
+    # Determine if email is configured based on provider
+    is_configured = False
+    if provider == "smtp":
+        is_configured = bool(config["smtp_host"] and config["smtp_host"] != "localhost")
+    elif provider == "sendgrid":
+        is_configured = bool(config["sendgrid_api_key"])
+    elif provider == "mailgun":
+        is_configured = bool(config["mailgun_api_key"] and config["mailgun_domain"])
+    elif provider == "ses":
+        is_configured = bool(config["aws_access_key_id"] and config["aws_secret_access_key"])
+
+    # Check if any DB overrides exist
+    has_db_overrides = any(v == "database" for v in config["_sources"].values())
+
+    return EmailStatusResponse(
+        provider=provider,
+        from_email=config["from_email"],
+        from_name=config["from_name"],
+        reply_to=config["reply_to"] or None,
+        smtp_host=config["smtp_host"] if provider == "smtp" else None,
+        smtp_port=config["smtp_port"] if provider == "smtp" else None,
+        smtp_user=config["smtp_user"] if provider == "smtp" else None,
+        mailgun_domain=config["mailgun_domain"] if provider == "mailgun" else None,
+        aws_region=config["aws_region"] if provider == "ses" else None,
+        debug=config["debug"],
+        enabled=config["enabled"],
+        is_configured=is_configured,
+        has_db_overrides=has_db_overrides,
+    )
+
+
+@router.put("/email/settings")
+def update_email_settings(
+    settings_update: EmailSettingsUpdate,
+    db: Session = Depends(get_db),
+    current_admin: User = Depends(get_current_admin_api),
+):
+    """
+    Update platform email settings.
+
+    Settings are stored in the database and override .env values.
+    Only non-null values are updated.
+    """
+    from models.schema.admin import AdminSettingCreate
+
+    updated_keys = []
+
+    # Map request fields to database keys
+    field_mappings = {
+        "provider": ("email_provider", "string"),
+        "from_email": ("email_from_address", "string"),
+        "from_name": ("email_from_name", "string"),
+        "reply_to": ("email_reply_to", "string"),
+        "smtp_host": ("smtp_host", "string"),
+        "smtp_port": ("smtp_port", "integer"),
+        "smtp_user": ("smtp_user", "string"),
+        "smtp_password": ("smtp_password", "string"),
+        "smtp_use_tls": ("smtp_use_tls", "boolean"),
+        "smtp_use_ssl": ("smtp_use_ssl", "boolean"),
+        "sendgrid_api_key": ("sendgrid_api_key", "string"),
+        "mailgun_api_key": ("mailgun_api_key", "string"),
+        "mailgun_domain": ("mailgun_domain", "string"),
+        "aws_access_key_id": ("aws_access_key_id", "string"),
+        "aws_secret_access_key": ("aws_secret_access_key", "string"),
+        "aws_region": ("aws_region", "string"),
+        "enabled": ("email_enabled", "boolean"),
+        "debug": ("email_debug", "boolean"),
+    }
+
+    # Sensitive fields that should be marked as encrypted
+    sensitive_keys = {
+        "smtp_password", "sendgrid_api_key", "mailgun_api_key",
+        "aws_access_key_id", "aws_secret_access_key"
+    }
+
+    for field, (db_key, value_type) in field_mappings.items():
+        value = getattr(settings_update, field, None)
+        if value is not None:
+            # Convert value to string for storage
+            if value_type == "boolean":
+                str_value = "true" if value else "false"
+            elif value_type == "integer":
+                str_value = str(value)
+            else:
+                str_value = str(value)
+
+            # Create or update setting
+            setting_data = AdminSettingCreate(
+                key=db_key,
+                value=str_value,
+                value_type=value_type,
+                category="email",
+                description=f"Email setting: {field}",
+                is_encrypted=db_key in sensitive_keys,
+                is_public=False,
+            )
+
+            admin_settings_service.upsert_setting(db, setting_data, current_admin.id)
+            updated_keys.append(field)
+
+    # Log action
+    admin_audit_service.log_action(
+        db=db,
+        admin_user_id=current_admin.id,
+        action="update_email_settings",
+        target_type="email_settings",
+        target_id="platform",
+        details={"updated_keys": updated_keys},
+    )
+    db.commit()
+
+    logger.info(f"Email settings updated by admin {current_admin.id}: {updated_keys}")
+
+    return {
+        "success": True,
+        "message": f"Updated {len(updated_keys)} email setting(s)",
+        "updated_keys": updated_keys,
+    }
+
+
+@router.delete("/email/settings")
+def reset_email_settings(
+    db: Session = Depends(get_db),
+    current_admin: User = Depends(get_current_admin_api),
+):
+    """
+    Reset email settings to use .env values.
+
+    Deletes all email settings from the database, reverting to .env configuration.
+    """
+    deleted_count = 0
+
+    for key in EMAIL_SETTING_KEYS:
+        setting = admin_settings_service.get_setting_by_key(db, key)
+        if setting:
+            db.delete(setting)
+            deleted_count += 1
+
+    # Log action
+    admin_audit_service.log_action(
+        db=db,
+        admin_user_id=current_admin.id,
+        action="reset_email_settings",
+        target_type="email_settings",
+        target_id="platform",
+        details={"deleted_count": deleted_count},
+    )
+    db.commit()
+
+    logger.info(f"Email settings reset by admin {current_admin.id}, deleted {deleted_count} settings")
+
+    return {
+        "success": True,
+        "message": f"Reset {deleted_count} email setting(s) to .env defaults",
+    }
+
+
+@router.post("/email/test", response_model=TestEmailResponse)
+def send_test_email(
+    request: TestEmailRequest,
+    db: Session = Depends(get_db),
+    current_admin: User = Depends(get_current_admin_api),
+) -> TestEmailResponse:
+    """
+    Send a test email using the platform email configuration.
+
+    This tests the email provider configuration from environment variables.
+    """
+    from app.services.email_service import EmailService
+
+    try:
+        email_service = EmailService(db)
+
+        # Send test email using platform configuration
+        success = email_service.send_raw(
+            to_email=request.to_email,
+            to_name=None,
+            subject="Wizamart Platform - Test Email",
+            body_html="""
+            <html>
+            <body style="font-family: Arial, sans-serif; padding: 20px;">
+                <h2 style="color: #6b46c1;">Test Email from Wizamart</h2>
+                <p>This is a test email to verify your platform email configuration.</p>
+                <p>If you received this email, your email settings are working correctly!</p>
+                <hr style="border: none; border-top: 1px solid #e5e7eb; margin: 20px 0;">
+                <p style="color: #6b7280; font-size: 12px;">
+                    Provider: {provider}<br>
+                    From: {from_email}
+                </p>
+            </body>
+            </html>
+            """.format(
+                provider=app_settings.email_provider,
+                from_email=app_settings.email_from_address,
+            ),
+            body_text=f"Test email from Wizamart platform.\n\nProvider: {app_settings.email_provider}\nFrom: {app_settings.email_from_address}",
+            is_platform_email=True,
+        )
+
+        if success:
+            # Log action
+            admin_audit_service.log_action(
+                db=db,
+                admin_user_id=current_admin.id,
+                action="send_test_email",
+                target_type="email",
+                target_id=request.to_email,
+                details={"provider": app_settings.email_provider},
+            )
+            db.commit()
+
+            return TestEmailResponse(
+                success=True,
+                message=f"Test email sent to {request.to_email}",
+            )
+        else:
+            return TestEmailResponse(
+                success=False,
+                message="Failed to send test email. Check server logs for details.",
+            )
+
+    except Exception as e:
+        logger.error(f"Failed to send test email: {e}")
+        return TestEmailResponse(
+            success=False,
+            message=f"Error sending test email: {str(e)}",
+        )
--- a/app/api/v1/vendor/init.py
+++ b/app/api/v1/vendor/init.py
@@ -20,6 +20,7 @@ from . import (
    content_pages,
    customers,
    dashboard,
+    email_settings,
    email_templates,
    features,
    info,
@@ -61,6 +62,7 @@ router.include_router(dashboard.router, tags=["vendor-dashboard"])
 router.include_router(profile.router, tags=["vendor-profile"])
 router.include_router(settings.router, tags=["vendor-settings"])
 router.include_router(email_templates.router, tags=["vendor-email-templates"])
+router.include_router(email_settings.router, tags=["vendor-email-settings"])
 router.include_router(onboarding.router, tags=["vendor-onboarding"])

 # Business operations (with prefixes: /products/*, /orders/*, etc.)
--- a/app/api/v1/vendor/content_pages.py
+++ b/app/api/v1/vendor/content_pages.py
@@ -2,6 +2,9 @@
 """
 Vendor Content Pages API

+Vendor Context: Uses token_vendor_id from JWT token (authenticated vendor API pattern).
+The get_current_vendor_api dependency guarantees token_vendor_id is present.
+
 Vendors can:
 - View their content pages (includes platform defaults)
 - Create/edit/delete their own content page overrides
@@ -15,11 +18,10 @@ from pydantic import BaseModel, Field
 from sqlalchemy.orm import Session

 from app.api.deps import get_current_vendor_api, get_db
-from app.exceptions.content_page import VendorNotAssociatedException
 from app.services.content_page_service import content_page_service
 from models.database.user import User

-router = APIRouter()
+router = APIRouter(prefix="/content-pages")
 logger = logging.getLogger(__name__)


@@ -111,11 +113,8 @@ def list_vendor_pages(

    Returns vendor-specific overrides + platform defaults (vendor overrides take precedence).
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    pages = content_page_service.list_pages_for_vendor(
-        db, vendor_id=current_user.vendor_id, include_unpublished=include_unpublished
+        db, vendor_id=current_user.token_vendor_id, include_unpublished=include_unpublished
    )

    return [page.to_dict() for page in pages]
@@ -132,11 +131,8 @@ def list_vendor_overrides(

    Shows what the vendor has customized.
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    pages = content_page_service.list_all_vendor_pages(
-        db, vendor_id=current_user.vendor_id, include_unpublished=include_unpublished
+        db, vendor_id=current_user.token_vendor_id, include_unpublished=include_unpublished
    )

    return [page.to_dict() for page in pages]
@@ -154,13 +150,10 @@ def get_page(

    Returns vendor override if exists, otherwise platform default.
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    page = content_page_service.get_page_for_vendor_or_raise(
        db,
        slug=slug,
-        vendor_id=current_user.vendor_id,
+        vendor_id=current_user.token_vendor_id,
        include_unpublished=include_unpublished,
    )

@@ -178,15 +171,12 @@ def create_vendor_page(

    This will be shown instead of the platform default for this vendor.
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    page = content_page_service.create_page(
        db,
        slug=page_data.slug,
        title=page_data.title,
        content=page_data.content,
-        vendor_id=current_user.vendor_id,
+        vendor_id=current_user.token_vendor_id,
        content_format=page_data.content_format,
        meta_description=page_data.meta_description,
        meta_keywords=page_data.meta_keywords,
@@ -214,14 +204,11 @@ def update_vendor_page(

    Can only update pages owned by this vendor.
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    # Update with ownership check in service layer
    page = content_page_service.update_vendor_page(
        db,
        page_id=page_id,
-        vendor_id=current_user.vendor_id,
+        vendor_id=current_user.token_vendor_id,
        title=page_data.title,
        content=page_data.content,
        content_format=page_data.content_format,
@@ -251,9 +238,6 @@ def delete_vendor_page(
    Can only delete pages owned by this vendor.
    After deletion, platform default will be shown (if exists).
    """
-    if not current_user.vendor_id:
-        raise VendorNotAssociatedException()
-
    # Delete with ownership check in service layer
-    content_page_service.delete_vendor_page(db, page_id, current_user.vendor_id)
+    content_page_service.delete_vendor_page(db, page_id, current_user.token_vendor_id)
    db.commit()
--- a/app/api/v1/vendor/email_settings.py
+++ b/app/api/v1/vendor/email_settings.py
@@ -0,0 +1,225 @@
+# app/api/v1/vendor/email_settings.py
+"""
+Vendor email settings API endpoints.
+
+Allows vendors to configure their email sending settings:
+- SMTP configuration (all tiers)
+- Advanced providers: SendGrid, Mailgun, SES (Business+ tier)
+- Sender identity (from_email, from_name, reply_to)
+- Signature/footer customization
+- Configuration verification via test email
+
+Vendor Context: Uses token_vendor_id from JWT token (authenticated vendor API pattern).
+"""
+
+import logging
+
+from fastapi import APIRouter, Depends, HTTPException
+from pydantic import BaseModel, EmailStr, Field
+from sqlalchemy.orm import Session
+
+from app.api.deps import get_current_vendor_api
+from app.core.database import get_db
+from app.exceptions import NotFoundError, ValidationError, AuthorizationError
+from app.services.vendor_email_settings_service import VendorEmailSettingsService
+from app.services.subscription_service import subscription_service
+from models.database.user import User
+
+router = APIRouter(prefix="/email-settings")
+logger = logging.getLogger(__name__)
+
+
+# =============================================================================
+# SCHEMAS
+# =============================================================================
+
+
+class EmailSettingsUpdate(BaseModel):
+    """Schema for creating/updating email settings."""
+
+    # Sender Identity (Required)
+    from_email: EmailStr = Field(..., description="Sender email address")
+    from_name: str = Field(..., min_length=1, max_length=100, description="Sender name")
+    reply_to_email: EmailStr | None = Field(None, description="Reply-to email address")
+
+    # Signature (Optional)
+    signature_text: str | None = Field(None, description="Plain text signature")
+    signature_html: str | None = Field(None, description="HTML signature/footer")
+
+    # Provider
+    provider: str = Field("smtp", description="Email provider: smtp, sendgrid, mailgun, ses")
+
+    # SMTP Settings
+    smtp_host: str | None = Field(None, description="SMTP server hostname")
+    smtp_port: int | None = Field(587, ge=1, le=65535, description="SMTP server port")
+    smtp_username: str | None = Field(None, description="SMTP username")
+    smtp_password: str | None = Field(None, description="SMTP password")
+    smtp_use_tls: bool = Field(True, description="Use STARTTLS")
+    smtp_use_ssl: bool = Field(False, description="Use SSL/TLS (port 465)")
+
+    # SendGrid
+    sendgrid_api_key: str | None = Field(None, description="SendGrid API key")
+
+    # Mailgun
+    mailgun_api_key: str | None = Field(None, description="Mailgun API key")
+    mailgun_domain: str | None = Field(None, description="Mailgun sending domain")
+
+    # SES
+    ses_access_key_id: str | None = Field(None, description="AWS access key ID")
+    ses_secret_access_key: str | None = Field(None, description="AWS secret access key")
+    ses_region: str | None = Field("eu-west-1", description="AWS region")
+
+
+class VerifyEmailRequest(BaseModel):
+    """Schema for verifying email settings."""
+
+    test_email: EmailStr = Field(..., description="Email address to send test email to")
+
+
+# =============================================================================
+# ENDPOINTS
+# =============================================================================
+
+
+@router.get("")
+def get_email_settings(
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Get current email settings for the vendor.
+
+    Returns settings with sensitive fields masked.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+
+    settings = service.get_settings(vendor_id)
+    if not settings:
+        return {
+            "configured": False,
+            "settings": None,
+            "message": "Email settings not configured. Configure SMTP to send emails to customers.",
+        }
+
+    return {
+        "configured": settings.is_configured,
+        "verified": settings.is_verified,
+        "settings": settings.to_dict(),
+    }
+
+
+@router.get("/status")
+def get_email_status(
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Get email configuration status.
+
+    Used by frontend to show warning banner if not configured.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+    return service.get_status(vendor_id)
+
+
+@router.get("/providers")
+def get_available_providers(
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Get available email providers for current tier.
+
+    Returns list of providers with availability status.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+
+    # Get vendor's current tier
+    tier = subscription_service.get_current_tier(db, vendor_id)
+
+    return {
+        "providers": service.get_available_providers(tier),
+        "current_tier": tier.value if tier else None,
+    }
+
+
+@router.put("")
+def update_email_settings(
+    data: EmailSettingsUpdate,
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Create or update email settings.
+
+    Premium providers (SendGrid, Mailgun, SES) require Business+ tier.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+
+    # Get vendor's current tier for validation
+    tier = subscription_service.get_current_tier(db, vendor_id)
+
+    try:
+        settings = service.create_or_update(
+            vendor_id=vendor_id,
+            data=data.model_dump(exclude_unset=True),
+            current_tier=tier,
+        )
+        return {
+            "success": True,
+            "message": "Email settings updated successfully",
+            "settings": settings.to_dict(),
+        }
+    except AuthorizationError as e:
+        raise HTTPException(status_code=403, detail=str(e))
+    except ValidationError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+
+@router.post("/verify")
+def verify_email_settings(
+    data: VerifyEmailRequest,
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Verify email settings by sending a test email.
+
+    Sends a test email to the provided address and updates verification status.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+
+    try:
+        result = service.verify_settings(vendor_id, data.test_email)
+        if result["success"]:
+            return result
+        else:
+            raise HTTPException(status_code=400, detail=result["message"])
+    except NotFoundError as e:
+        raise HTTPException(status_code=404, detail=str(e))
+    except ValidationError as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+
+@router.delete("")
+def delete_email_settings(
+    current_user: User = Depends(get_current_vendor_api),
+    db: Session = Depends(get_db),
+):
+    """
+    Delete email settings.
+
+    Warning: This will disable email sending for the vendor.
+    """
+    vendor_id = current_user.token_vendor_id
+    service = VendorEmailSettingsService(db)
+
+    if service.delete(vendor_id):
+        return {"success": True, "message": "Email settings deleted"}
+    else:
+        raise HTTPException(status_code=404, detail="Email settings not found")